Security
Webhook signing secrets can be used to verify that incoming requests genuinely originate from our systems and haven’t been tampered with. These secrets are available in the Svix Portal, accessible via the Webhooks page in your dashboard.
Sohar webhooks use Svix for secure message delivery. To verify the authenticity of these webhooks, you must:
- Use the provided webhook secret.
- Extract and process the svix-id, svix-timestamp, and svix-signature headers.
- Use the raw body of the request to compute the HMAC signature.
Install the Svix SDK
This is a JavaScript example. Other language examples are available in the Svix documentation.
Use the Webhook Verifier
Always use the raw request body when verifying webhooks, as even minor changes can invalidate the cryptographic signature. Be cautious with frameworks that automatically parse and re-serialize JSON bodies - this transformation can alter the payload and cause signature verification to fail.
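The following is an added example, not code from Sohar or the Svix SDK: it implements the check by hand with Node's built-in crypto module, following Svix's published signature scheme, and shows a re-serialized body failing verification. The secret, message ID, event name, payload, and the 5-minute tolerance are constructed or assumed values.

```javascript
const crypto = require("node:crypto");

const TOLERANCE_SECONDS = 5 * 60; // assumed replay window for stale or future-dated deliveries

// v1 signature: base64(HMAC-SHA256(key, "<svix-id>.<svix-timestamp>.<raw body>")).
function sign(secret, id, timestamp, rawBody) {
  const key = Buffer.from(secret.replace(/^whsec_/, ""), "base64");
  return crypto.createHmac("sha256", key)
    .update(`${id}.${timestamp}.${rawBody}`, "utf8")
    .digest("base64");
}

// True only when all three headers are present, the timestamp is fresh,
// and at least one v1 signature matches. Header names are lowercase, as Node exposes them.
function verifyWebhook(secret, headers, rawBody, nowSeconds = Math.floor(Date.now() / 1000)) {
  const id = headers["svix-id"];
  const timestamp = headers["svix-timestamp"];
  const signatures = headers["svix-signature"];
  if (!id || !signatures || !/^\d+$/.test(timestamp || "")) return false;
  if (Math.abs(nowSeconds - Number(timestamp)) > TOLERANCE_SECONDS) return false;

  const expected = Buffer.from(sign(secret, id, timestamp, rawBody), "base64");
  // The header can carry several space-separated "version,signature" entries.
  return signatures.split(" ").some((entry) => {
    const [version, value] = entry.split(",");
    if (version !== "v1" || !value) return false;
    const candidate = Buffer.from(value, "base64");
    return candidate.length === expected.length && crypto.timingSafeEqual(candidate, expected);
  });
}

// Constructed sample delivery (not real Sohar data).
const SAMPLE_SECRET = "whsec_" + Buffer.from("constructed-example-key-32-bytes").toString("base64");
const SAMPLE_BODY = '{"event": "example.created",  "id": 42}'; // spacing is part of the signed bytes
const SAMPLE_NOW = 1700000000;
const SAMPLE_HEADERS = {
  "svix-id": "msg_constructed_0001",
  "svix-timestamp": String(SAMPLE_NOW),
  "svix-signature": "v1," + sign(SAMPLE_SECRET, "msg_constructed_0001", String(SAMPLE_NOW), SAMPLE_BODY),
};

// Compare the raw body, a parsed-and-re-serialized body, and a stale delivery.
function demo() {
  const reserialized = JSON.stringify(JSON.parse(SAMPLE_BODY));
  return {
    raw: verifyWebhook(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_NOW),
    reserialized: verifyWebhook(SAMPLE_SECRET, SAMPLE_HEADERS, reserialized, SAMPLE_NOW),
    stale: verifyWebhook(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_NOW + 3600),
  };
}
console.log(demo());
```

In an HTTP handler, pass the request bytes exactly as received (for example, captured before any JSON body parser runs) as rawBody, and parse the JSON only after verification succeeds.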